2006-06-12 11:24

[Virus Alert] 4 new worms found

Worm name: ETROJ_DROPPER.BCU

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This Trojan usually arrives on a system as an attachment to a spammed email message. Users are therefore advised to refrain from opening email messages that do not come from a trusted source.

Upon execution, it drops and executes several files in specified locations, including a file that is detected by Trend Micro as TROJ_AGENT.AHD. As a result, the routines of the related malware are also exhibited on the affected system.

Worm name: PE_DETNAT.D

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This file infector propagates through network shares. It searches for shared drives and folders on an affected system and then infects all executable (.EXE) files residing on found shares.

Unlike previous PE_DETNAT variants, however, this variant encrypts itself after compressing the target host file.

This file infector first compresses the host file so that the host file serves as its .data section. It checks that the host file size is between 16,384 bytes and 2,097,152 bytes. It avoids reinfection by checking and processing the first two double-word values of the .data section, that is, by determining whether the target host file is already present and compressed in that section. It creates an event named Delphi to achieve memory residency and then ensures that only one instance of itself is running in memory.
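
As an added example (not from the advisory and not Trend Micro's code), the following Python triage helper applies the two observable properties described above: the host-size window and the first two double-word values at the start of the .data section. The function names are hypothetical, the sample image is constructed, and since the marker values PE_DETNAT.D actually writes are not given on this page, the helper reports the two DWORDs for an analyst to compare rather than judging them itself.

```python
import struct
from pathlib import Path

# Host-size window PE_DETNAT.D checks before infecting, per the advisory.
SIZE_MIN = 16_384
SIZE_MAX = 2_097_152


def in_size_window(size: int) -> bool:
    """True if a host of this size is a candidate for the infector."""
    return SIZE_MIN <= size <= SIZE_MAX


def data_section_marker(image: bytes):
    """Return the first two DWORDs of the .data section, or None.
    Walks only e_lfanew, the COFF header and the 40-byte section table;
    the infector's real marker values are not on this page, so the
    caller compares the returned pair against what it knows."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    num_sections = struct.unpack_from("<H", image, e_lfanew + 6)[0]
    size_opt = struct.unpack_from("<H", image, e_lfanew + 20)[0]
    table = e_lfanew + 24 + size_opt
    for i in range(num_sections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + 40 * i)
        if name.rstrip(b"\0") == b".data" and raw_size >= 8:
            return struct.unpack_from("<II", image, raw_ptr)
    return None


def triage_exe_files(root: str):
    """Yield (path, size, marker) for .exe files inside the size window."""
    for path in Path(root).rglob("*.exe"):
        size = path.stat().st_size
        if in_size_window(size):
            yield str(path), size, data_section_marker(path.read_bytes())


def build_sample_image(first: int, second: int) -> bytes:
    """Constructed, minimal PE-shaped blob (not a runnable executable)
    whose single .data section starts with the two given DWORDs."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", e_lfanew)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0)
    raw_ptr = e_lfanew + 24 + 40          # data follows the one section header
    section = struct.pack("<8sIIIIIIHHI", b".data", 8, 0x1000, 8, raw_ptr,
                          0, 0, 0, 0, 0)
    return dos + coff + section + struct.pack("<II", first, second)
```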

Worm name: PE_DETNAT.E

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This file infector propagates through network shares. It initially searches for shared drives and folders on an affected system then infects all executable (.EXE) files residing on found shares.

Notably, unlike previous PE_DETNAT iterations, this variant encrypts itself after compressing the target host file. In addition, it is able to remove its malicious code from infected .EXE files when they are run, provided that the file C:\Recycled\SVCH0ST.EXE does not exist. If that file does exist, however, the .EXE file remains infected, but a clean copy is placed in the current folder.

As a result, affected applications still appear to run normally despite being infected, or an infected copy is placed in the folder C:\Recycled and runs in the background. Thus, users may be unaware of this file infector's malicious activities.

Worm name: TROJ_SKOWR.A

Risk rating: HIGH

Damage Potential: HIGH

Distribution Potential: HIGH

Description:

This memory-resident Trojan may arrive as a file dropped or downloaded by another malware application. It encrypts files of certain types, such as batch files, HyperText Markup Language (HTML) files, and text files, so that they can no longer be opened or executed by the affected user.

Malware of this kind is referred to in the antivirus industry as ransomware. It is known to be employed by malware authors for extortion: the authors demand a certain amount of money in exchange for a decryptor for the modified files so that they can be used again.

The text file it drops serves as a "ransom letter" for the files this Trojan has encrypted. It contains specific instructions on how to acquire a decoder. Unlike other ransomware that extorts money from users, this particular Trojan asks for game and Internet accounts. Details of the said text file are found here.

References: http://www.trendmicro.com/vinfo/ (TrendMicro Virus Security Info)

http://www.trendmicro.com/vinfo/zh-tw/default.asp (Traditional Chinese TrendMicro Virus Security Info)
